Facebook Submits GDPR Breach Notification to Irish Watchdog

The interior of Facebook's European headquarters in Dublin (Photo: Facebook)

Facebook, which has its European operations based in Dublin, has notified its relevant data protection authority - the Irish Data Protection Commission - that it suffered a massive breach that put 50 million users at risk. The social network is also forcing 90 million users to log back into their accounts (see 50 Million Facebook Accounts Breached).

Whoever breached Facebook was able to exploit a privacy feature on the site. Facebook, however, says it's still investigating whether this attack was targeted. It's unclear too how many third-party services that allow single sign-on via Facebook may also have been breached.

"We've notified the Irish Data Protection Commission in accordance with our obligations under GDPR," Guy Rosen, Facebook's vice president of product management, said in a Friday press briefing.

Already, however, the DPC, which enforces the country's data privacy laws, has signaled that it finds Facebook's breach report to have been incomplete.

Under the EU's General Data Protection Regulation, which went into full effect on May 25, organizations that suffer a serious breach involving Europeans' personal data must report the breach to relevant authorities within 72 hours of becoming aware of it. Failure to do so, as well as more general information security shortcomings, can expose an organization to steep fines.

Breach Details Required

The U.K. Information Commissioner's Office, which is the country's DPA, has told organizations that it doesn't just want a heads-up that an organization has been breached, but rather that it expects to see substantial details about the breach and its impact on victims, all within the 72-hour time frame (see Under GDPR, Data Breach Reports in UK Have Quadrupled).

In July, Laura Middleton, who heads the ICO's personal data breach enforcement team, warned that "the 72 hours isn't just to email or phone us" with a heads-up about a breach, but rather to provide a report to the ICO that includes a number of details it specifies on its website.

Regulator Seeks Urgent Clarifications

Already, Ireland's DPC has signaled via Twitter that it finds Facebook's data breach report incomplete. "The DPC is concerned that this breach was discovered on Tuesday and affects millions of users," it says. "At present, Facebook is unable to clarify the nature of the breach and risk to users. We are pressing Facebook to urgently clarify these matters."

Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection

Later on Monday, Facebook said that it was working to provide additional details as quickly as possible.

We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon. https://t.co/Cs1uSMtBNk

Steep Potential Fines

Any organization that fails to alert authorities to a breach in a timely manner, as well as to provide required information, can find itself at the receiving end of stiff fines.

Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($12 million) or 2 percent of annual global revenue.

In 2017, Facebook's annual global revenue was $40.7 billion, meaning that if it was found to have violated both GDPR and the reporting requirements, it would face a theoretical maximum $2.4 billion fine.

At Risk: Facebook Social Login

Meanwhile, the breach also puts at risk anyone who ever used Facebook social login, a feature that allows users who are logged into Facebook to automatically log into other sites.

Behind the scenes, Facebook generates an access token that enables the single sign-on behavior. Facebook can also share that token with any other site the user has designated, so that the user is automatically logged into that site as well.

"In line with GDPR, those external systems and apps also need to notify Data Protection Authorities in case of a suspected breach," Lukasz Olejnik, an independent cybersecurity and privacy researcher, says via Twitter.

In line with #GDPR, those external systems and apps also need to notify Data Protection Authorities in case of a suspected breach. A breach should be suspected. Potentially huge. https://t.co/yaDSsBbQ70

Information security experts caution that the increase in breach reports does not necessarily mean that there has been an increase in the quantity of breaches hitting European organizations.

"Since the GDPR was introduced in May, what we are seeing is an increase in the reporting of the breaches that are happening," Brian Honan, who heads Dublin-based cybersecurity firm BH Consulting, has told Information Security Media Group. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."

Privacy Complaints Increase

Europeans who believe that their personal data has been misused have also been filing a record number of complaints with privacy authorities.

In the four months since GDPR enforcement began on May 25, France's CNIL says that it has received 3,767 complaints about organizations' data privacy practices, compared with the 2,294 complaints that it received over the same four-month period in 2017, which was already a record year. "This represents an increase of 64 percent and reflects the fact that citizens have strongly seized on GDPR," CNIL says. "This is undoubtedly due to a recent media spotlight on data protection" that it notes is being driven not only by GDPR but also Facebook's Cambridge Analytica scandal.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
